Hello,
I’m planning to create a new website with a single-page application. While trying out Kirby API, I noticed that the current API endpoints don’t really serve the purpose of my SPA. It’s not a big deal, I can just create my own endpoints.
The idea is to have registered & logged-in users be able to access the SPA. Let’s call them Basic Users. Registration, sign-in, and all basic user account activities will be carried out in the front-end, so they need not and should not access the panel. But to enable the API for the SPA, I need to allow panel access for them:
`/site/blueprints/users/basic.yml`

```yaml
title: Basic User
default: true
# Basic user needs to access panel for the Rest API, but nothing else
permissions:
  access:
    *: false
    panel: true
    pages: false
    files: false
    languages: false
    site: false
    user: false
    users: false
```
However, I’m a bit concerned. With the above permissions, a basic user…
- is still able to access the panel and see their own settings page. While the permissions seem to prevent the user from doing any harm, it’s a bit awkward.
- can still send a GET request to `/api/users` and receive a list of all other users, effectively receiving a list of email addresses registered to the service, which of course is a big no.
I’m not sure if the latter one is a bug. But in any case, at this point, I’d rather hear if there is a way to disable the default endpoints completely for Basic users, or other ideas on how to reinforce the API security.
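One way to give the SPA its own, least-privilege endpoints instead of relying on the built-in `/api/users` listing is to register custom API routes in Kirby's config and do the authorization check inside each action. The following is an added example, not the poster's code or anything from the Kirby project; it assumes a Kirby 3 `site/config/config.php`, the `api.routes` config option, the `kirby()` helper, and the route patterns `spa/me` and `spa/admin/users` (both made up for this illustration).

```php
<?php
// site/config/config.php (assumed location; added example, not the poster's code)

use Kirby\Exception\PermissionException;

return [
    'api' => [
        'routes' => [
            // Endpoint a Basic User may call: it returns only the caller's own
            // account, so no other user record (or e-mail address) can be read.
            [
                'pattern' => 'spa/me',
                'method'  => 'GET',
                'action'  => function () {
                    $user = kirby()->user();
                    if ($user === null) {
                        // Unauthenticated: fail closed rather than returning anything
                        throw new PermissionException('Not authenticated');
                    }
                    // Allow-list the fields the SPA needs instead of dumping the object
                    return [
                        'id'    => $user->id(),
                        'email' => $user->email(),
                        'role'  => $user->role()->name(),
                    ];
                }
            ],
            // Role-gated listing: only an admin may enumerate accounts, and even
            // then the response contains ids only, not e-mail addresses.
            [
                'pattern' => 'spa/admin/users',
                'method'  => 'GET',
                'action'  => function () {
                    $user = kirby()->user();
                    if ($user === null || $user->isAdmin() === false) {
                        throw new PermissionException('Admins only');
                    }
                    return kirby()->users()->pluck('id');
                }
            ],
        ],
    ],
];
```

Each action performs its own check against the logged-in user rather than trusting the blueprint permissions alone, so even if a Basic User can still reach the built-in routes, the SPA itself only ever calls endpoints whose responses are limited to that user's own data. Whether a Basic User's `GET /api/users` is really expected to return the full list is a separate question for the Kirby maintainers; the routes above simply avoid depending on the answer.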